LinkedIn credentials being harvested via bogus security notifications

Criminals are targeting LinkedIn users with messages masquerading as legitimate security alerts in a bid to steal log-in credentials.

Symantec engineer Satnam Narang said in a blog post that he uncovered the scam after spotting a number of phishing emails purporting to come from LinkedIn support.

"The body of the email claims that irregular activities have prompted a 'compulsory security update' for the recipient's LinkedIn account," read the post.

"The email goes on to say that, in order to secure their account, the recipient needs to download the attached form (an HTML attachment) and follow the instructions."

Narang explained that the attachment is a copy of the real LinkedIn.com website, but that the source has been modified so that credentials will be sent directly to the attacker if the recipient uses this web page to sign in to LinkedIn.

The attackers reportedly dupe the victim into believing the email is authentic by using a lowercase 'i', as opposed to an uppercase 'I' in the bogus LinkedIn address.

Narang warned that the message is doubly dangerous as the HTML attachment can bypass many browser defences.

Fred Touchette, senior security analyst at AppRiver, told V3 that campaigns like this are increasingly common and that businesses should take the necessary precautions.

"This phishing technique is quite common and can be seen using many different reputable websites as its cover," he said.

"The fact that it uses a webpage and images stolen directly from LinkedIn can add to the illusion that recipients are at the actual LinkedIn site, but the fact that this page was sent as an HTML attachment should raise a giant red flag."

Narang recommended that LinkedIn users should turn on the service's two-step verification to protect against this type of attack.

"With two-step verification enabled, even if a user's credentials are compromised, an attacker would not be able to log-in without having access to the user's mobile phone," he said.

Security providers have been urging services such as LinkedIn to turn two-step verification on by default for some time, as it is responsible for allowing hackers to infiltrate numerous systems.

Criminals are believed to have taken advantage of a lack of two-factor authentication on many iCloud accounts to steal celebrities' personal files in 2014.